Recurring wintcp.exe+slsvce.exe etc

Status
Not open for further replies.

F.I.A

Posts: 6   +0
I have followed the thread found in the stickied to remove the stated infection. However, they still persist on, even with system recovery turned off.

Attached is the hijackthis log. No rootkit is found from Panda Antirootkit.

OS: Win XP SP2

Notable symptoms:
1) Creation of password protected username account on the next boot(Not often).
2) Cluttering ammount of cmd.exe in the taskmanager(Each sizes of around 40-60k) when infection was found by either AVG or AVG Anti-Spyware.

Thanks beforehand.
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

C:\fixwareout\report.txt

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Software Licensing Server (SLsvce)

Close the services window.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

Slsvce.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O17 - HKLM\System\CCS\Services\Tcpip\..\{A21BC8C1-018C-4005-842D-0723A3334A65}: NameServer = 85.255.113.115,85.255.112.70

O23 - Service: Software Licensing Server (SLsvce) - Unknown owner - C:\WINDOWS\system\Slsvce.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\system\Slsvce.exe

Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt


Post the Combofix log as well as the Fixwareout log, plus a fresh HJT log.

This thread is for the use of F.I.A only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
The slsvce.exe has not been recurring, but the wintcp.exe is still on rampage.

Another known sypthoms:
Under the toolbars, there will be a malicious toolbar named "The Language Bar" instead of the normal "Language Bar". When I turn it off, it will sometimes persist on, causing the task manager to generate to windows per action(For example, two instances of this link, but closing one will close both). Unfortunately, I am not able to reproduce it to screenshot.
 
Your HJT log is now clean, so let`s deal with the other infections.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\system32\antivir.PIF
C:\WINDOWS\system32\vis.bat
C:\WINDOWS\system32\me.exe
C:\WINDOWS\system32\3389.reg
C:\WINDOWS\system32\mswsc.exe
C:\WINDOWS\system32\rewxejtbtsr32.exe
C:\WINDOWS\system32\data.bat
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\home.sys
C:\WINDOWS\system32\msnpla.exe
C:\WINDOWS\system32\27031_mssql.exe
C:\WINDOWS\system32\antivir.exe
C:\WINDOWS\system32\CoreVorbis-uninstall.exe
C:\WINDOWS\system32\2A0B5D5710.sys
C:\WINDOWS\system\Slsvce.exe
C:\WINDOWS\system32\OggDSuninst.exe

Folder::
C:\WINDOWS\system32\x
C:\WINDOWS\system32\rasbin

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f76e37c-a1b6-11db-8d93-001485ef967f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8a9d8a2-244f-11db-8c8f-001485ef967f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15857fe-20b1-11db-8c81-001485ef967f}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SLsvce"=-
"UspService"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

This thread is for the use of F.I.A only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
After 2 days, the wintcp.exe and 84785_mssql[1].exe have recurred.

Attached the combofix log.
 
Can you please give me the file paths to the wintcp.exe and 84785_mssql[1].exe files?

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system\Slsvce.exe
C:\WINDOWS\system32\TraceDriver.sys
Folder::
C:\WINDOWS\system32\x
C:\Program Files\Combined Community Codec Pack
C:\WINDOWS\system32\rasbin


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

84785_mssql.exe
84785_mssql.exe
wintcps.exe
27031_mssql.exe

Close task manager.

Locate and delete the following bold files and/or folders(if there).

C:\wintcps.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\69XRWL9L\84785_mssql.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SDS90L6D\84785_mssql.exe

C:\WINDOWS\system32\crazy.dll
C:\WINDOWS\system32\27031_mssql.exe
C:\WINDOWS\system32\rpcall.exe

C:\WINDOWS\system32\x<Delete the entire folder.
C:\WINDOWS\system32\msnpla.exe
C:\WINDOWS\rblky.sys

C:\WINDOWS\system\Slsvce.exe
C:\WINDOWS\system32\rasbin<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs and let me know if you`re still having problems.
 
I tried to delete the state files manually, but seems like they cannot be deleted, so I run a combofix to remove them. However, the wintcps.exe recurs again(Also the 27031_mssql.exe).

Attached the combofix run and hijackthis log in normal mode.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O17 - HKLM\System\CCS\Services\Tcpip\..\{A21BC8C1-018C-4005-842D-0723A3334A65}: NameServer = 85.255.113.115,85.255.112.70

Click on the fix checked button.

Close HJT.

Reboot into normal mode and rehide your protected OS files.


1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.
 
Status
Not open for further replies.
Back