Weird Services Installed.

Discussion in 'Windows & Other OS Discussion & Support' started by wilflare, Feb 15, 2005.

  1. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Hi all,

    Has anyone ever experienced an issue where Windows XP Home SP2 will have what
    seems to be a randomly named service displayed in the Services manager? The
    service has no description, and the path to executable is empty.

    Tried deleting it using Registry Editor - unable to do so due to an error.
    Soon, some other service is installed with a different
    random name; again the path to executable is empty and there is no service description.

    Currently have these 2.
    .neudionc
    adoiskoe

    A Trendmicro and Symantec online scan was done - Nothing.
    Spybot Adaware MS Antispyware - Nothing.

    help appreciated. thanks.
     
  2. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    are these 2 services listed under the 'HKLM\SYSTEM\CurrentControlSet\Services' registry key?

    what is value data of the value name "Start" for the services?
     
  3. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Yeap, there are.
    Value of 4 hexadecimal for both.
     
  4. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    Export these 2 keys below

    "HKLM\SYSTEM\CurrentControlSet\Services\adoiskoe"

    and

    "HKLM\SYSTEM\CurrentControlSet\Services\.neudionc"

    and then open the exported .reg files with your text editor and copy/paste the registration entries info here.

    ---

    the value data is the DWORD value = 00000004 (the service startup type = Disabled)
     
    Last edited: Feb 15, 2005
  5. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc]
    "ErrorControl"=dword:00000001
    "Type"=dword:00000020
    "Group"="FSFilter Physical Quota Management"
    "Tag"=dword:00000001
    "Start"=dword:00000004
    "DisplayName"=".neudionc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc\Enum]
    "0"="Root\\LEGACY_.NEUDIONC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
    05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
    20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
    00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,d8,00,af,00,f6,00,74,00,00,00,\
    9b,00,00,00,a2,00,00,0a,0a,00,00,00,00,00,e5,00,d5,00,53,00,85,00

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe]
    "ErrorControl"=dword:00000000
    "Type"=dword:00000010
    "Group"="Keyboard Port"
    "Tag"=dword:00000001
    "Start"=dword:00000003

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe\Security]
    "Security"=hex:01,00,14,80,30,00,00,00,3c,00,00,00,14,00,00,00,00,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,c8,00,45,00,b4,00,\
    c9,00,00,00,9a,00,00,00,8d,00,00,0a,0a,00,00,00,00,00,b5,00,18,00,ac,00,da,\
    00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe\Enum]
    "0"="Root\\LEGACY_ADOISKOE\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
     
  6. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    i think these 2 are good services..

    the value data is the DWORD value:
    00000004 = the service startup type is Disabled,
    00000003 = is Manual.
     
    Last edited: Feb 15, 2005
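Decoding these exports by hand is error-prone, so here is a small parser for .reg files of the kind posted above. It is an added example, not code from anyone in this thread: it reads the Start and Type DWORDs under each CurrentControlSet\Services\<name> key, maps them to their meaning (Start 0 = Boot, 1 = System, 2 = Auto, 3 = Manual, 4 = Disabled; Type 0x1 = kernel driver, 0x2 = file system driver, 0x10 = Win32 own process, 0x20 = Win32 shared process), and flags entries that the Services applet cannot resolve (no ImagePath, no DisplayName) or that start without user action. The sample input is a constructed abbreviation of the two exports posted here plus a hypothetical "ExampleSvc" entry for contrast.

```python
import re
import sys

# Constructed sample input: an abbreviated copy of the two exports posted in this
# thread, plus a hypothetical ordinary service (with an ImagePath) for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc]
"ErrorControl"=dword:00000001
"Type"=dword:00000020
"Group"="FSFilter Physical Quota Management"
"Tag"=dword:00000001
"Start"=dword:00000004
"DisplayName"=".neudionc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc\Enum]
"0"="Root\\LEGACY_.NEUDIONC\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe]
"ErrorControl"=dword:00000000
"Type"=dword:00000010
"Group"="Keyboard Port"
"Tag"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe\Security]
"Security"=hex:01,00,14,80,30,00,00,00,3c,00,00,00,14,00,00,00,00,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,c8,00,45,00,b4,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="Example Service (hypothetical)"
"ImagePath"="C:\\WINDOWS\\system32\\examplesvc.exe"
"""

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "Win32 own process", 0x20: "Win32 shared process"}


def _decode_value(raw):
    """Decode one .reg value: dword:XXXXXXXX -> int, "string" -> str (unescaped),
    anything else (hex blobs such as the Security descriptor) is left as text."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return raw


def parse_reg(text):
    """Return {service_name: {value_name: value}} for each direct child key of
    CurrentControlSet\\Services; Enum/Security subkeys are skipped."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            key, current = header.group(1), None
            if key.lower().startswith(SERVICES_PREFIX.lower() + "\\"):
                rest = key[len(SERVICES_PREFIX) + 1:]
                if "\\" not in rest:          # the service key itself, not a subkey
                    current = services.setdefault(rest, {})
            continue
        if current is None:
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value:                              # continuation lines of hex blobs never match
            current[value.group(1)] = _decode_value(value.group(2))
    return services


def assess(services):
    """Summarise each service and flag what a reviewer would want to look at."""
    report = {}
    for name, vals in services.items():
        start, stype = vals.get("Start"), vals.get("Type")
        flags = []
        if "ImagePath" not in vals:
            flags.append("no ImagePath")        # Services applet shows an empty path
        if "DisplayName" not in vals:
            flags.append("no DisplayName")
        if start in (0, 1, 2):
            flags.append("starts without user action")
        type_name = "unknown"
        if stype is not None:                   # mask off the 0x100 interactive bit
            type_name = SERVICE_TYPES.get(stype & 0xFF, "unknown (0x%x)" % stype)
        report[name] = {"start": START_TYPES.get(start, "unknown (%r)" % start),
                        "type": type_name, "image_path": vals.get("ImagePath"),
                        "flags": flags}
    return report


if __name__ == "__main__":
    # Usage: python parse_services_reg.py [Services_Backup.reg]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for name, info in assess(parse_reg(text)).items():
        print("%-12s Start=%-8s Type=%-20s path=%s %s"
              % (name, info["start"], info["type"], info["image_path"], info["flags"]))
```

A file exported by Regedit is UTF-16 with a BOM, which is why the script opens a real export with that encoding; the embedded sample is plain text. Entries that have no ImagePath and no DisplayName, like the two in this thread, are exactly the ones the applet cannot explain, so the report lists them for a closer look rather than deciding on its own that they are harmless.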
  7. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    i see but they never appeared until recently.
     
  8. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    i'll have to check it again later when i have time, if they are just leftover entries from something then i'll help you remove them... later.
     
  9. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    ah. okay. =]
    really appreciate your help! =]
     
  10. md5

    md5 New Member

    Joined:
    Dec 9, 2004
    Messages:
    854
    Likes Received:
    2
    Trophy Points:
    0
    Strange, I can't find anything about these 2 services. They look more like parts of a trojan to me...

    Download Hijackthis from here:
    http://www.merijn.org/files/hijackthis.zip

    and paste the log it gives you
     
  11. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    thanks. here's the log.
    Logfile of HijackThis v1.99.0
    Scan saved at 12:03:01 AM, on 2/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\foobar2000\foobar2000.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\WINDOWS\Explorer.EXE
    E:\My Downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.sg/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104162947515
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adoiskoe - Unknown - (no file)
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
     
  12. md5

    md5 New Member

    Joined:
    Dec 9, 2004
    Messages:
    854
    Likes Received:
    2
    Trophy Points:
    0
    Everything seems ok to me :)
    That unknown service (adoiskoe) is linking to an empty file, so it's harmless and, as Ctrl-Alt-Del told you, .neudionc is disabled

    It's strange that these services just popped up, but you don't seem to have any trojan in your system. Just delete the two keys:

    "HKLM\SYSTEM\CurrentControlSet\Services\adoiskoe"
    and
    "HKLM\SYSTEM\CurrentControlSet\Services\.neudionc"

    and they'll go away
     
  13. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    i can't find anything about those 2 service names either.

    according to your registry above there's no driver load during boot time. i think you can keep those registry entries till you can find more info about them,
    or just remove them; i would.
    logon as Administrator or another account with Admin privileges,
    if you still can't remove it, R-click on the key and select 'Permissions', then give yourself Full Control over the key and try to remove it again..
    if you have any problem after that, merge the registry entries back...

    ------

    For a service listed under CurrentControlSet\Services, the value of the Group entry plus any "Tag" entry determines the order in which the service is loaded. But not all services have a Tag entry, and not all groups have an entry in the "GroupOrderList" subkey. The "ServiceGroupOrder" subkey specifies the order for loading groups. The entries in the key are all of type REG_BINARY.
    These default entries define the order within groups:

    Base, Pointer Class, Video, Ndis, SCSI Miniport, Keyboard Port, Primary Disk, Keyboard Class, Filter, Pointer Port

    GroupOrderList Control Entries
    The entries in the GroupOrderList key specify the ordering of services within groups, under the following Registry path:
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList"

    ServiceGroupOrder Control Entries
    The ServiceGroupOrder key specifies the order to load various groups of services.
    Order within groups is specified using the value of Tag under the specific Services subkeys and the values in the GroupOrderList subkey. For example, when you start Windows NT, the Boot Loader scans the Registry for drivers with a Start value of 0 (which indicates that these drivers should be loaded but not initialized before the Kernel) and a Type value of 0x1 (which indicates a Kernel device driver such as a hard disk or other low-level hardware device driver). The drivers are then loaded into memory in the order specified as the List value in the ServiceGroupOrder subkey.
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder"

    "List" REG_MULTI_SZ Group names..
    Specifies the order for loading drivers into memory.

    Value Name: List (from my XP system registry)
    System Reserved
    Boot Bus Extender
    System Bus Extender
    SCSI miniport
    Port
    Primary Disk
    SCSI Class
    SCSI CDROM Class
    FSFilter Infrastructure
    FSFilter System
    FSFilter Bottom
    FSFilter Copy Protection
    FSFilter Security Enhancer
    FSFilter Open File
    FSFilter Physical Quota Management
    FSFilter Encryption
    FSFilter Compression
    FSFilter HSM
    FSFilter Cluster File System
    FSFilter System Recovery
    FSFilter Quota Management
    FSFilter Content Screener
    FSFilter Continuous Backup
    FSFilter Replication
    FSFilter Anti-Virus
    FSFilter Undelete
    FSFilter Activity Monitor
    FSFilter Top
    Filter
    Boot File System
    Base
    Pointer Port
    Keyboard Port
    Pointer Class
    Keyboard Class
    Video Init
    Video
    Video Save
    File System
    Event Log
    Streams Drivers
    NDIS Wrapper
    COM Infrastructure
    UIGroup
    LocalValidation
    PlugPlay
    PNP_TDI
    NDIS
    TDI
    NetBIOSGroup
    ShellSvcGroup
    SchedulerGroup
    SpoolerGroup
    AudioGroup
    SmartCardGroup
    NetworkProvider
    RemoteValidation
    NetDDEGroup
    Parallel arbitrator
    Extended Base
    PCI Configuration
    MS Transactions

    ======

    When determining which driver to load, the OS loader first looks at the "Start Type" -- Boot, System, Auto, Demand. For drivers with the Boot, System or Auto start type, the OS loader looks at all drivers with the same start type, then loads them in order of their load order group and finally their Tag.
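The load-order rule in the post above (Start type first, then the group's position in the ServiceGroupOrder List, then the Tag, with the GroupOrderList deciding the order of tags inside a group) can be checked mechanically. The following is an added example, not code from the poster: it decodes GroupOrderList values from their REG_BINARY layout (a DWORD count followed by the Tag values in load order), sorts a set of service entries the way the loader would, and shows that the two entries posted in this thread (Start 3 and 4) never appear in any automatic phase. The driver names bootbusA, bootbusB, kbport, kbclass and ptrclass, their values, and the GroupOrderList contents are all constructed; the group list is a subset, in the original order, of the List value quoted above.

```python
import struct

# Subset of the ServiceGroupOrder "List" value quoted in the post, in the same
# order; only the groups referenced by the sample entries below are kept.
SERVICE_GROUP_ORDER = [
    "System Reserved", "Boot Bus Extender", "System Bus Extender", "SCSI miniport",
    "Port", "Primary Disk", "FSFilter Physical Quota Management", "Base",
    "Pointer Port", "Keyboard Port", "Pointer Class", "Keyboard Class", "Video",
]


def group_order_blob(*tags):
    """Build a REG_BINARY GroupOrderList value: little-endian DWORD count followed
    by the Tag values in load order. Used here only to construct sample data."""
    return struct.pack("<I", len(tags)) + b"".join(struct.pack("<I", t) for t in tags)


def decode_group_order(blob):
    """Decode a GroupOrderList value back into its ordered list of Tags."""
    count, = struct.unpack_from("<I", blob, 0)
    return list(struct.unpack_from("<%dI" % count, blob, 4))


# Constructed GroupOrderList entries (hypothetical values, not from a real system).
GROUP_ORDER_LIST = {
    "Boot Bus Extender": group_order_blob(3, 1),   # Tag 3 loads before Tag 1
    "Keyboard Port": group_order_blob(1, 2),
}

# The two entries posted in this thread plus hypothetical drivers for contrast.
SERVICES = {
    "Adoiskoe": {"Start": 3, "Type": 0x10, "Group": "Keyboard Port", "Tag": 1},
    ".neudionc": {"Start": 4, "Type": 0x20,
                  "Group": "FSFilter Physical Quota Management", "Tag": 1},
    "bootbusA": {"Start": 0, "Type": 0x1, "Group": "Boot Bus Extender", "Tag": 3},
    "bootbusB": {"Start": 0, "Type": 0x1, "Group": "Boot Bus Extender", "Tag": 1},
    "kbport": {"Start": 1, "Type": 0x1, "Group": "Keyboard Port", "Tag": 1},
    "kbclass": {"Start": 1, "Type": 0x1, "Group": "Keyboard Class", "Tag": 1},
    "ptrclass": {"Start": 1, "Type": 0x1, "Group": "Pointer Class"},   # no Tag
}


def load_key(name, svc):
    """Sort key: Start type, then group position in the List, then Tag rank."""
    group = svc.get("Group")
    group_index = (SERVICE_GROUP_ORDER.index(group)
                   if group in SERVICE_GROUP_ORDER else len(SERVICE_GROUP_ORDER))
    tag = svc.get("Tag")
    ordered_tags = (decode_group_order(GROUP_ORDER_LIST[group])
                    if group in GROUP_ORDER_LIST else [])
    if tag is None:
        tag_rank = (2, 0)                          # untagged entries load last in their group
    elif tag in ordered_tags:
        tag_rank = (0, ordered_tags.index(tag))    # position in GroupOrderList decides
    else:
        tag_rank = (1, tag)                        # unlisted tags follow, in numeric order
    return (svc["Start"], group_index, tag_rank, name)


def boot_load_order(services, phases=(0, 1, 2)):
    """Names in the order the loader brings them up: Boot (0), System (1), Auto (2).
    Manual (3) and Disabled (4) entries are never part of this list."""
    eligible = [(n, s) for n, s in services.items() if s.get("Start") in phases]
    return [n for n, _ in sorted(eligible, key=lambda ns: load_key(*ns))]


def not_loaded_at_boot(services):
    """Names whose Start value keeps them out of every automatic phase."""
    return sorted(n for n, s in services.items() if s.get("Start") not in (0, 1, 2))


if __name__ == "__main__":
    print("boot-time load order:", boot_load_order(SERVICES))
    print("never loaded automatically:", not_loaded_at_boot(SERVICES))
```

Feeding the Start, Group and Tag values from a real export into SERVICES (and the decoded GroupOrderList and List values from HKLM\SYSTEM\CurrentControlSet\Control) answers the question the poster answered by eye: whether an unknown entry would ever be loaded by the loader at all, and if so where in the sequence.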
     
  14. Judas

    Judas Obvious Closet Brony Pony

    Joined:
    May 13, 2002
    Messages:
    39,827
    Likes Received:
    1,731
    Trophy Points:
    138
    imo.. i've found google to be very excellent at finding out what some of these startup names are...

    just go to google.. type in the exe name that's running.. or what's listed as the name in the msconfig startup...

    such as search for dllhost.exe

    or firstreboot.exe

    the first 10 sites usually spit out pretty solid results about what it does, if it's a virus.... if it's necessary.... if you can remove it....
     
  15. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    the services were not start-ups, the paths to the executable files are empty, there is no service description, and i can't find any info about the service names.

    there are many weird service names under the services registry keys.
     
  16. BWX

    BWX get out and ride

    Joined:
    Nov 29, 2002
    Messages:
    19,684
    Likes Received:
    63
    Trophy Points:
    73
    In the services list I also have some weird ones - nothing on google about them either.


    I disabled them.




    Strange... Can't do anything with them because the files are gone.
     
  17. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    you can remove it in the registry, so that it won't show in the Services applet.

    go to 'HKLM\SYSTEM\CurrentControlSet\Services',
    R-click on the Services and select Export. (for your backup)

    then locate those 2 service names under the folder "Services".
    R-click on the service name you want to remove and select Delete.
    then Reboot.


    =======================

    Export_Services_Reg.cmd
    Code:
    REGEDIT /E Services_Backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
    
    make sure the command is on one line and there is no empty space in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
     
  18. BWX

    BWX get out and ride

    Joined:
    Nov 29, 2002
    Messages:
    19,684
    Likes Received:
    63
    Trophy Points:
    73
    Now that you say that- I looked and maybe I shouldn't.. I wish I knew what it was.
     
  19. PangingJr

    PangingJr Member

    Joined:
    Mar 14, 2003
    Messages:
    5,989
    Likes Received:
    56
    Trophy Points:
    0
    you ask me, when we can't find any info about it,
    i would just remove it. but it's just me.
     
  20. wilflare

    wilflare New Member

    Joined:
    Jul 28, 2003
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    thanks for the replies so far.
    but is it possible to find out how they were created in the first place?

    I did a Last Known good Configuration when my system refused to boot if that has some effect.
     
