software distribution services 2.0

Discussion in 'Malware Help (A Specialist Will Reply)' started by dadpad, Mar 15, 2006.

  1. dadpad

    dadpad Private E-2

    I am seeking any information about a program? called software distribution services.

    Today when the computer was started I appeared to have a "new" computer. The computer asked me to "view the Windows tutorial" and to set up a new internet connection, including an email A/c. Closing these dialog boxes revealed our internet connection intact and email still functioning; all my email contacts are still available, however all folders and saved emails appear to have been deleted from Outlook Express.

    System Restore provided "check points" for a "Software Distribution Services 2.0" going back about a week or more, sometimes several check points in a day. System Restore check points prior to this are system checkpoints.

    I have not yet tried a System Restore, nor have I yet run your yuckware removal thread, as I am not sure that this program(?) is yuckware.

    I have however run Ewido, CCleaner, Ad-Aware and Spybot and removed a downloader (inor.a) as well as a number of cookies.

    A file search for Software Distribution Services 2.0 reveals nothing. The only place this name comes up is in System Restore.

    A google search reveals very little of substance.
    Would anyone like to comment on the (?)program "Software Distribution Services 2.0"?

    Win XP, Firefox browser. Anti-virus is Symantec and anti-spyware is eTrust PestPatrol, last updated over the weekend. Please advise of any additional info required.
     
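    As an added aside (not part of the original post): System Restore records who created each checkpoint and why, and on XP the Automatic Updates client labels the checkpoint it takes before installing a patch "Software Distribution Service 2.0", so listing the points with their type and timestamps is the quickest way to see whether they line up with update installs. The script below is an example written for this thread, not code from the forum; it assumes Windows PowerShell 5.1 on a Windows client (where Get-ComputerRestorePoint exists), System Restore enabled, and an elevated prompt. The function name Get-RestorePointSummary is my own.

```powershell
# Summarise System Restore points by the description their creator gave them.
# Added example for this thread; assumes Windows PowerShell 5.1 (Get-ComputerRestorePoint
# is not in PowerShell 7) and an elevated prompt with System Restore enabled.

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns SystemRestore CIM objects whose CreationTime
    # is a DMTF timestamp string, so convert it before doing any date arithmetic.
    $points = Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
            Type        = $_.RestorePointType
            Event       = $_.EventType
        }
    }

    # Group by description so repeated checkpoints such as
    # "Software Distribution Service 2.0" collapse to one row with a count and date range.
    $points | Group-Object Description | ForEach-Object {
        $ordered = $_.Group | Sort-Object Created
        [pscustomobject]@{
            Description = $_.Name
            Count       = $_.Count
            First       = $ordered[0].Created
            Last        = $ordered[-1].Created
            Types       = ($_.Group.Type | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Last -Descending
}

function Get-RecentRestorePoints {
    param([int]$Days = 14)   # the thread reports the unexpected checkpoints over "a week or more"
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ComputerRestorePoint |
        Where-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) -ge $cutoff } |
        Select-Object SequenceNumber,
                      @{ Name = 'Created'; Expression = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } },
                      Description, RestorePointType, EventType
}

Get-RestorePointSummary | Format-Table -AutoSize
Get-RecentRestorePoints -Days 14 | Sort-Object Created | Format-Table -AutoSize
```

    Several points per day with the same description and a RestorePointType of 0 (an application install) is the normal pattern for a batch of updates; a checkpoint description that matches nothing in Add/Remove Programs or the update history is the one to follow up.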
  2. dadpad

    dadpad Private E-2

    I have followed the instructions in the read me tutorial.
    Microsoft Windows Malicious Software Removal Tool is running in the background.

    Ad-Aware reports 5 critical objects removed (all cookies)
    Spybot reports no infection
    Windows Defender reports no infection

    BitDefender log attached

    Active Scan does not give an option to save a file. As there are other Active Scan logs attached to other posts I am obviously not seeing something I should be. The window Active Scan runs in does not appear to be a full window and I am unable to expand this window. Possibly this is the cause.
    Active Scan reports spyware 3, hacking tools (etc) 1

    Of note, during the Active Scan a dialog box appeared asking me to change my profile; I chose cancel.
     
    Last edited: Apr 20, 2007
  3. AbbySue

    AbbySue MajorGeeks Administrator

  4. dadpad

    dadpad Private E-2

    Thank you for your time Abbysue.

    There appear to be no files in Symantec quarantine; however, I have deleted files from Symantec backup. It may not be important but the AV is not Norton, it is Symantec full version 9.0.3.1000, borrowed from my son's school.

    Attached is the Active Scan log run in normal mode

    msconfig is set to boot normally

    Attached is the HJT log
     
    Last edited: Apr 20, 2007
  5. AbbySue

    AbbySue MajorGeeks Administrator

    Norton is Symantec...they used to go by just 'Norton', I just never adjusted to calling them 'Symantec':eek::)

    There are two things in particular I'm concerned about in your Activescan report but I would prefer they be looked at by chaslang or SPD as they have more experience in that area than I do along with having one of them look over your HJT log.

    I do have a couple questions though to keep things moving along...:)

    Is bigpond your ISP?
    Do you have the purchased version of Ewido or are you using the trial?
     
  6. dadpad

    dadpad Private E-2

    Correct on the ISP.

    Ewido I assume is a trial version as it was a free internet download.

    It is very late here (AUST) so chaslang or SPD can take their time. I won't get any more done tonight or tomorrow.
     
  7. AbbySue

    AbbySue MajorGeeks Administrator

    It does not appear that this is a malware issue but let's go through a few things just to be sure.

    Is this a corporate type pc or a home pc? Are there any other users? Have you recently installed any programs and if so, are they working ok?

    Uninstall Ewido

    Make sure viewing of hidden files is enabled (per the tutorial). Run HijackThis and select the following lines (if still present) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\system32\sganpk_nav.dat
    C:\WINDOWS\winsysupd91.dat

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Let's get an installed programs list from HijackThis.

    Run HijackThis, click Open the Misc Tools section
    Click Open Uninstall Manager
    Click Save List (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment.

    Something you may want to look at later. Is your java working ok? You have conflicting versions showing in your log.

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     
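    Before deleting the two files named above it is worth recording what they are (size, timestamps, attributes, hash, whether they carry a signature) so the evidence survives the clean-up, and the read-only attribute the post mentions can be cleared in the same pass. The script below is an added example written for this thread, not the helper's own procedure; the paths are the ones named in the post, and it assumes an elevated Windows PowerShell 5.1 prompt (Get-FileHash needs 4.0 or later). The function names Get-FileTriage and Clear-ReadOnly are my own.

```powershell
# Triage the files AbbySue lists before deleting them: confirm they exist, record
# size, timestamps, attributes, SHA-256 and any Authenticode signature, then clear
# the ReadOnly attribute that makes Explorer refuse the delete.
# Added example for this thread; paths come from the post, run elevated in Windows PowerShell 5.1.

$suspectPaths = @(
    'C:\WINDOWS\system32\sganpk_nav.dat',
    'C:\WINDOWS\winsysupd91.dat'
)

function Get-FileTriage {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # -Force so files marked Hidden/System (the "hide protected operating system
        # files" setting that hides system32 in post 8) are still returned.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Exists = $false }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path       = $p
            Exists     = $true
            Bytes      = $item.Length
            Created    = $item.CreationTime
            Modified   = $item.LastWriteTime
            Attributes = $item.Attributes.ToString()
            Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature  = $sig.Status          # NotSigned is expected for a stray .dat
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}

function Clear-ReadOnly {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item -and $item.IsReadOnly) {
            # Strip only ReadOnly; Hidden/System stay as they were for the record.
            $item.IsReadOnly = $false
            Write-Output "Cleared ReadOnly on $p"
        }
    }
}

# Record the evidence first (keep this output alongside the HJT log),
# then clear ReadOnly so the safe-mode deletion step in the post succeeds.
Get-FileTriage -Paths $suspectPaths | Format-List
Clear-ReadOnly -Paths $suspectPaths

# The deletion itself stays with the safe-mode step in the post; -WhatIf only
# shows what Remove-Item would do. Drop -WhatIf once the triage output is saved.
Remove-Item -LiteralPath $suspectPaths -Force -WhatIf
```

    A file that still cannot be deleted after ReadOnly is cleared is usually held open by a running process, which is the Task Manager case the post describes; the recorded hash lets the file be looked up later even after it is gone.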
  8. dadpad

    dadpad Private E-2

    Again, thank you for the assistance Abbysue

    1. Home PC

    2. In normal mode there are icons for 6 users

    In safe mode there are icons for 2 users: Administrator and son1. I am unsure why there are two users in safe mode, however one user is my son's name. (I could do without this if it could be removed without affecting anything.)
    Using Explorer in safe mode reveals 10 users(!), 2 under my son's name: son1 and son1 4db16ca etc, Administrator, All Users, Default User, self, wife, daughter, Local Service, Network Services.

    3. Recently installed programs: Morpheus 2 weeks(?) ago, which I think the kids use for free songs etc from the internet. I am suspicious of this program and the content it delivers.
    A CD-ROM of DVD burning/playing programs which came bundled with the computer, includes Nero and InCD.

    Ewido was uninstalled via Windows Add/Remove Programs

    HJT scan
    ewidoctrl.exe not present
    O16 ewidoOnlineScan.cab present and fixed
    O23 service ......\ewidoctrl.exe not present

    safe mode
    show all files
    Of note here... I was unable to find system32 until I unchecked "hide protected operating system files"; might be something to keep in mind.

    sganpk_nav.dat deleted
    NB there are files present named sganpk_navps.dat and sganpk.dat (not deleted)

    winsysupd91.dat deleted.

    Installed programs
    I was unsure if I should boot to normal mode, so attached are lists from safe mode.
    I have included lists for both users in safe mode in case it shows something different. (Sorry if this is too much info.)

    If you want logs for normal mode just ask and I will post them.

    I noted a process running called MsMpEng.exe whilst I type this.
    I note my email client has been reset (by the gremlin in my computer) to Outlook rather than Outlook Express as it usually is.
     
    Last edited: Apr 20, 2007
  9. dadpad

    dadpad Private E-2

    I have been unable to attach the second installed programs list. If you need it let me know.
     
  10. AbbySue

    AbbySue MajorGeeks Administrator

    You were unable to attach the second file because the contents were identical so no worry there.:)

    MsMpEng.exe is part of Windows Defender auto protect and should be running.

    You are right to be suspicious of Morpheus. Using any P2P opens you up to all kinds of viruses, trojans etc.. Additionally, Morpheus runs banner ads (some of which are not suitable for a younger audience!) so falls under the heading of adware.

    RE: In safe mode there are 2 icons, Administrator and son1. Are you the Administrator and does son1 also have administrator privileges?

    RE: In normal mode there are icons for 6 users. Is this how you have it set up or is this your computer gremlin creating additional accounts?

    Let's try to dig a little deeper to see if anything is hiding.

    1. Please download and unzip Rootkit Revealer to your desktop.
    2. Please leave the defaults set as they are to:
      • Hide NTFS Metadata Files: this option is on by default
      • Scan Registry: this option is on by default.
    3. Launch rootkit revealer on the system and press the Scan button.
    4. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
    5. The log can be very large; please edit out the items in the following folder, if in the log, before attaching it: C:\System Volume Information.
    6. Please attach the log here in this thread to your next post.
     
  11. dadpad

    dadpad Private E-2

    RE: In safe mode there are 2 icons, Administrator and son1. Are you the Administrator and does son1 also have administrator privileges?

    Yes, both have admin privileges. My kids are old enough to deal with whatever comes their way, however I see no need to have 2 administrators on the system.

    RE: In normal mode there are icons for 6 users. Is this how you have it set up or is this your computer gremlin creating additional account.
    6 users is how I set the system up.

    Thanks for the info on Morpheus, I will pass this info on to my family.

    You mentioned a conflict re Java. I have no issues with Java, however I am unsure what the symptoms might be.

    I neglected to disconnect from the internet at the (modem); however, I have attached the log anyway. I will immediately run another scan and post it in the morning unless you tell me not to.

    NB Windows Update has given me an update for Outlook today, 18th Mar, which is why the email client changed from Express to Outlook. This has happened before, a nuisance but I can deal with it. I cannot deal with all my saved email folders just disappearing into the ether. :mad:
     
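    The two questions AbbySue asked (who holds Administrators membership, and whether the account list matches what the owner set up) and the puzzle in post 8 of profile folders that outnumber accounts can all be answered from one listing. The script below is an added example for this thread, not the forum's own procedure; it assumes Windows PowerShell 5.1 on Windows 10/11 where Get-LocalUser and Get-LocalGroupMember exist (on XP the same data comes from `net user` and `net localgroup administrators`), an elevated prompt, and the $expectedAccounts list is a constructed placeholder to be edited to match the machine. The function names Get-LocalAccountAudit and Get-OrphanProfiles are my own.

```powershell
# Audit local accounts: Administrators membership, accounts the owner did not
# create, and profile folders that belong to no current account.
# Added example for this thread; assumes Windows PowerShell 5.1 on Windows 10/11, run elevated.

# Constructed placeholder list of the accounts the owner intends to exist
# (post 11: "6 users is how I set the system up"); edit to match the machine.
$expectedAccounts = @('Administrator', 'son1', 'self', 'wife', 'daughter', 'son2')

function Get-LocalAccountAudit {
    param([string[]]$Expected)

    # Group members come back as COMPUTER\name; keep the bare name for matching.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object ObjectClass -eq 'User' |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    # Win32_UserProfile ties each profile folder (C:\Users\son1, C:\Users\son1.4db16ca...)
    # to the SID that owns it, which is how a duplicate-looking folder is traced to an account.
    $profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }

    foreach ($u in Get-LocalUser) {
        $profile = $profiles | Where-Object SID -eq $u.SID.Value
        [pscustomobject]@{
            Name        = $u.Name
            Enabled     = $u.Enabled
            IsAdmin     = $admins -contains $u.Name
            Expected    = $Expected -contains $u.Name
            LastLogon   = $u.LastLogon
            ProfilePath = (@($profile.LocalPath) -join '; ')
        }
    }
}

function Get-OrphanProfiles {
    # Profile folders whose SID matches no current local account: left over from a
    # deleted or recreated account, or a folder nobody can account for.
    $localSids = @((Get-LocalUser).SID.Value)
    Get-CimInstance Win32_UserProfile |
        Where-Object { -not $_.Special -and ($localSids -notcontains $_.SID) } |
        Select-Object LocalPath, SID, LastUseTime
}

$audit = Get-LocalAccountAudit -Expected $expectedAccounts
$audit | Format-Table -AutoSize

# Flags worth acting on: admin rights beyond the built-in Administrator (the "2 administrators"
# in post 11) and any account missing from the owner's list.
$audit | Where-Object { $_.IsAdmin -and $_.Name -ne 'Administrator' } |
    ForEach-Object { "Admin rights: $($_.Name)" }
$audit | Where-Object { -not $_.Expected } |
    ForEach-Object { "Unexpected account: $($_.Name)" }
Get-OrphanProfiles | Format-Table -AutoSize
```

    Service accounts such as Local Service and Network Service show up as profile folders but are marked Special by Win32_UserProfile, so they are filtered out; All Users and Default User are not profiles of any account at all, which is why Explorer's folder count runs higher than the account count.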
  12. dadpad

    dadpad Private E-2

    How about I actually attach the log to my message.
     
    Last edited: Apr 20, 2007
  13. dadpad

    dadpad Private E-2

    Rootkit Revealer shows nothing to report when run with the internet turned off.
     
