suspect service

hi
someone could help me?

i ve found a strange error in the system event log
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 23/08/2008
Time: 17.50.47
User: N/A
Computer: XXXXXXXXXXXX
Description:
The IxiqZBmXFNfTwX service hung on starting.

so i take a look at the services and i found

Service Name Authorization
Display name IxiqZBmXFNfTwX
Description zOAnZRigObPn
Pathh to executable C:\WINNT\System32\svchost.exe -k Authorization
Startup type Automatic
Service status Starting

OS is 2K SP4
CPU is Celeron 1200

i ve submitted svchost.exe to an on line verification tool and this is the result

Scan taken on 23 Aug 2008 16:41:00 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


system has been scanned by Superantispyware, Malwarebytes, SpyBot s&D, Ikarus virus utilities, Kaspersky on line, Panda on line and results free of viruses

thanks in advance

 

Ty chaslang,

so i followed yr instructions as u can see some logs attached

unfortunately:

1) i didnt run Combofix because i can't find W2K installation CD to install Windows Console Manager and i m afraid of damage this PC running Combofix without installing that

2) MGTools gave me the 16 bit MS-DOS Subsystem Error:
c:\WINNT\system32\cmd.exe
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver format in the registr is invalid. Choose 'Close' to terminate the application.

so i followed the instructions on
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254914

but i discovered with surprise the the key VirtualDeviceDrivers is totally missing! in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\

so i pressed 'Ignore' instead of 'Close' to the error window and some result of MGTools are in the attached log

I also tried to start MGTools in safe mode but i ve found with horror that this computer shows a Blue Screen 07b in safe mode (and also in safe mode with command prompt), just after Mup.sys. Anyway this computer starts well in Normal mode

3) i attach a Gmer log in the next post

thank you again

PS sorry for any bad english cause here is italy

 

this is gmer 1.0.14.14536 log

 

my antivirus Ikarus virus.utilities just now has found (and destoyed?) a virus:

date/time: 25/08/2008 18.05.39
filename: run2.vbs
original path: c:\WINNT\
filesize: 0.50 KB
virusname: Trojan.VBS.TQK
suggestion: saved & deleted
signatureId: 18085417

 

thanks a lot chaslang
i hope now i'm malaware clean but unfortunately the strange service is still in the list of the services


in addition i ve verified user profiles in the system properties windows and the list is very suspect:

Name Size Type Modified
Account Unknown 116150 KB Local 26/08/2008
Account Unknown 3806004 KB Local 26/08/2008
Account Unknown 3075 KB Local 26/08/2008
FLI-HOME\Administrator 1880240 KB Local 26/08/2008

The Computer Management application shows instead only these users

Administrator
Guest

could be the 'account unknown' a login to different domains not avalaible at the moment (legacy LAN)? do that could be the reason why the details are not available at system properties? (as you can see on \Documents and Settings\ are listed various users)

 

I know that bumping the thread will retard the answer but i'm desperate!

again another new virus found!

date/time: 26/08/2008 23.10.14
filename: Logo1_.exe
original path: c:\WINNT\
filesize: 88 KB
virusname: Trojan-Spy.Win32.Delf.PG
suggestion: Save & Delete
signatureId: 315550


help!

 

yes i know sorry

00370595 and FLI are accounts that I created
the others (Administrator, All Users, Default User, helpdesk) aren't.
i suppose the first three are normal, but i don't remember the creation of helpdesk user and i d like to remove but i m not able to
i often access to a corporate LAN with this computer maybe the company created that account

yes every day some new virus i m becoming paranoic

today Ikarus found this

date/time: 27/08/2008 23.36.02
filename: FireFoxUpdater.exe
original path: c:\WINNT\
filesize: 177.5 KB
virusname: Trojan.Buzus.iij
suggestion: Save & Delete
signatureId: 267935

and Sophos AV (that i just installed) discovered 8 istances of a virus named Mal/IFrame-F in some files in the cache of internet explorer such adserve.htm, chart.asp, and others

PS in the while i ve disabled the suspect service

 

No. Do you suggest to unintalling it?

 

tried to follow your suggestion as in the sticky thread "How to protect yourself from malware!"

this showed me other problems:

1) Ikarus detect a virus named Win32.SuspectCrc in the setup of Comodo BOClean Anti-Malware

date/time: 28/08/2008 17.30.57
filename: CBO_Setup_4.27.exe
original path: c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\W7KVQDMX\
filesize: 1816.37 KB
virusname: Win32.SuspectCrc
suggestion: deleted
signatureId: 20841621

2) so i installed Spyware Terminator but it's quite slowing computer performances

3) i'm not able to do oher downloads even from majorgeeks.com after installing Online Armor Personal Firewall (free edition). maybe could you please suggest me some guidelines to correctly setup it?

thank you very much

 

ok i uninstalled it

PC is Celeron 1200 RAM 376

do you suggest another firewall?

thanks for all

 

first of all thank you very very much for your close attention

yes this is a sweet old machine but i need to use this for several reasons
i changed Armor with Jetico that seems to be less resource consuming and it seems to work good even if i dont understand what to answer to the pop up windows concerning datagrams, inbound connections to 445 port and so on (i always allow them)

i also did:
1) cleared all the keys you showed me cause are reall unecessary

O4 - HKUS\.DEFAULT\..\Run: [MS Java virtual machine] javavm.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe


O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe


2) uninstall Sophos AV cause was a trial version near to the end and i stll use Ikarus

3) unistall Web Security Guard with Crawler Toolbar as you suggested, but i noticed that still remains keys about Webcrawler in the analyze log. so i attach here a new Mgtools.log

4) noticed the suspect service is still there, the Safe Boot still don't start and that there are a lot of errors in the event log (i only report once the errors - the last istance - but they are recurring very often):

system log errors:
4.a) Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2012
Date: 31/08/2008
Time: 0.39.25
User: N/A
Computer: FLI-HOME
Description:
The server has encountered a network error.
Data:
0000: 00 00 04 00 01 00 54 00 ......T.
0008: 00 00 00 00 dc 07 00 c0 ....Ü..À
0010: 00 00 00 00 3d 02 00 c0 ....=..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 57 09 00 00 W...


4.b) Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 54
Date: 31/08/2008
Time: 16.51.42
User: N/A
Computer: FLI-HOME
Description:
The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.
Data:
0000: e5 03 00 00 å...

4.c)
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10003
Date: 31/08/2008
Time: 17.18.30
User: N/A
Computer: FLI-HOME
Description:
Access denied attempting to launch a DCOM Server using DefaultLaunchPermssion. The server is:
{00020906-0000-0000-C000-000000000046}
The user is Unavailable/Unavailable, SID=Unavailable.

application log errors:
4.d)
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 31/08/2008
Time: 1.43.56
User: NT AUTHORITY\SYSTEM
Computer: FLI-HOME
Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).

4.e)
Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 2002
Date: 31/08/2008
Time: 16.51.21
User: N/A
Computer: FLI-HOME
Description:
The open procedure for service "PerfDisk" in DLL "C:\WINNT\SYSTEM32\perfdisk.dll" has taken longer than the established wait time to complete. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.

4.f)
Event Type: Warning
Event Source: PerfDisk
Event Category: None
Event ID: 2001
Date: 30/08/2008
Time: 2.21.55
User: N/A
Computer: FLI-HOME
Description:
Unable to read the disk performance information from the system. Disk performance counters must be enabled for at least one physical disk or logical volume in order for these counters to appear. Disk performance counters can be enabled by using the Hardware Device Manager property pages. Status code returned is data DWORD 0.
Data:
0000: 6f 10 00 00 o...

security log:
is totally empty (i controlled properties and they are set to log every event and to be stored for 7 days

5) noticed in the Computer Management/System Tools/Shared Folders/Session two sessions without name or properties so i disconnected them. Concerned of that, I ve also tried - but unsuccesfully - to unshare ADMIN$ C$ and IPC$

 

i ve successfully disabled netbios over tcp but i can t disable 445 port without being cutted off the corporate lan

done

done. seems work as usual. i ll verify if pc works on the corporate lan too. if it will not, there is a way to roll back?

here are the logs and thanks

 

i'm very sorry for boring you again but the others AV doesn't show any problem but kaspersky online do

please note that some week ago both Ikarus and a previous installation of Kaspersky reported that they have been cleaned the pst archive from Email-Worm.Win32.Wallon.a

do you think it is a dangerous menace?

 

ok but how can i do? i need of that Outlook archive and cannot delete it.

ok thanks

Not really but i noticed that if i dont block all datagrams and inbound connections a few minutes later i found sessions active and open files like PIPE\BROWSER (i dont know whats that)
seems like i m heavy scanned from some other internet users and it s very annoying blocking all these connections

i'll do
thank you very very much