Jump to content
Sign in to follow this  
marinius

Services.cpi and Services.cpl

Recommended Posts

I have a full scan and MB flagged services.cpi and services.cpl as Heuristics.Reserved.Word.Exploit. What are these two files? I googled them but could not find any description. They are found at "C:\WINDOWS\system32\".

Share this post


Link to post
Share on other sites

The def is exactly as it says , a heuristic hit based on the fact that microsoft reserved words should never be used in this way .

If you could , please zip me a copy of that file and attach it to your next post , I want to have a look at it .

Share this post


Link to post
Share on other sites

This is looking like malware , I would remove the files for now .

Do you know what you were doing when these files first appeared ?

I need to look at a log as well to see if anything else is going on in your system . Download and run hijackthis :

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Choose "do a system scan and save a logfile" . Open the saved load and then copy and paste the contents of the log into your next post .

Share this post


Link to post
Share on other sites

Hello nosirrah,

I noticed only those files when it was detected during the scan. I sent it to VirusTotal but it was cleared there. Anyway here's the HijackThis log you requested:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:32:26 PM, on 9/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\VMware\VMware Workstation\vmware-authd.exe

C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe

D:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Startup: AutorunsDisabled

O4 - Global Startup: AutorunsDisabled

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{36953CC5-377A-403E-9CEB-EB7C989611D2}: NameServer = 203.115.130.40 203.115.130.42

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Avira AntiVir Personal

Share this post


Link to post
Share on other sites

http://www.virustotal.com/analisis/984715e...dc964633098ca77

Today there are three hits , yesterday only one . This usually confirms new malware as FPs go in the other direction . The file itself has version info but does not mention any company name , this is also highly suspect . CPL files dont just appear and without you knowing what software you installed that uses this file I wont have any way to confirm that it is legit . Check the creation dates on these files , did you install any software around that time and if so , what software was it . The only two possibilities here are , malware and code from someone that clearly does not know what they are doing .

I might be able to tell you some more about this if you have this file in the same folder : pserv2.exe . If you do please zip and attach it as well .

Share this post


Link to post
Share on other sites

C:\WINDOWS\system32\cssdll32.dll

Get me a copy of this file as well , seems that there is a lot of people saying that it can be a trojan and I want to check for myself .

Share this post


Link to post
Share on other sites

Both services.cpi and services.cpl files had dates and times "modified" at 9/4/2008 5:17 AM, but it was at that time that I restored those files from the quarantine so I don't have any way of knowing its original date and time of installation. I restored it because I thought I have to verify from you first whether those are legit files or not before removing them. Here are the copies of the two files you requested (cssdll32.dll, pserv2.exe):

New_WinRAR_ZIP_archive.zip

New_WinRAR_ZIP_archive.zip

Share this post


Link to post
Share on other sites

Now we are getting somewhehre .

Click start , run and paste the following line into the run box (click OK after or press enter to execute the command) :

control c:\WINDOWS\system32\Services.cpl

Let me know if you have ever seen this before , it looks like some kind of obscure service control app that either you or a tech that has worked on your system in the past ran to either view or modify your services .

This is a FP and will be corrected in the next DB , thanks for the files and info .

Share this post


Link to post
Share on other sites

Hello nosirrah,

I have not seen this app before. Maybe your right (since there's no other explanation why it got there in the first place) that some tech installed it in my pc when I had it repaired last July.

Thank you very much for your help.

regards,

marinius

Share this post


Link to post
Share on other sites
Hello nosirrah,

I have not seen this app before. Maybe your right (since there's no other explanation why it got there in the first place) that some tech installed it in my pc when I had it repaired last July.

Thank you very much for your help.

regards,

marinius

I use this package that contains that during every repair or clean install I do. I say that because MBAM is on EVERY system I touch and I highly reccomend my customers use it ;)

Program here

http://www.wincert.net/forum/index.php?showtopic=337

Share this post


Link to post
Share on other sites

Yes Porthos, you're right. I explored/used this program after nosirrah explained to me what it was. Its useful. By the way, thanks for the link. I downloaded and installed it today.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.