Windows XP / 2000 / NT / 9x Forum: Discussion for Windows operating systems from XP right back to the very beginnings!
#1
DriverHeaven Junior Member (joined Jul 2003, 31 posts)
Weird Services Installed.
Hi all,
Has anyone ever experienced an issue where Windows XP Home SP2 has what seems to be a randomly named service displayed in the Services manager? The service has no description, and the path to the executable is empty. I tried deleting it using Registry Editor but was unable to do so due to an error. Soon, some other service is installed with a different random name; again the path to the executable is empty and there is no service description. I currently have these 2:
.neudionc
adoiskoe
A Trend Micro and Symantec online scan was done - nothing. Spybot, Ad-Aware, MS AntiSpyware - nothing. Help appreciated. Thanks.
#2
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
Are these 2 services listed under the 'HKLM\SYSTEM\CurrentControlSet\Services' registry key?
What is the value data of the "Start" value for the services?
#3
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Yep, they are.
Value of 4 hexadecimal for both.
#4
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
Export these 2 keys below:
"HKLM\SYSTEM\CurrentControlSet\Services\adoiskoe" and "HKLM\SYSTEM\CurrentControlSet\Services\.neudionc"
and then open the exported .reg files with your text editor and copy/paste the registration entries info here.
Last edited by Ctrl-Alt-Del; Feb 15, 2005 at 02:56 PM.
#5
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc]
"ErrorControl"=dword:00000001
"Type"=dword:00000020
"Group"="FSFilter Physical Quota Management"
"Tag"=dword:00000001
"Start"=dword:00000004
"DisplayName"=".neudionc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc\Enum]
"0"="Root\\LEGACY_.NEUDIONC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.neudionc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,d8,00,af,00,f6,00,74,00,00,00,\
  9b,00,00,00,a2,00,00,0a,0a,00,00,00,00,00,e5,00,d5,00,53,00,85,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe]
"ErrorControl"=dword:00000000
"Type"=dword:00000010
"Group"="Keyboard Port"
"Tag"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe\Security]
"Security"=hex:01,00,14,80,30,00,00,00,3c,00,00,00,14,00,00,00,00,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,c8,00,45,00,b4,00,\
  c9,00,00,00,9a,00,00,00,8d,00,00,0a,0a,00,00,00,00,00,b5,00,18,00,ac,00,da,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adoiskoe\Enum]
"0"="Root\\LEGACY_ADOISKOE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
#6
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
I think these 2 are good services.
The value data is the DWORD value: 00000004 = the service startup type is Disabled, 00000003 = Manual.
Last edited by Ctrl-Alt-Del; Feb 15, 2005 at 03:15 PM.
#7
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
I see, but they never appeared until recently.
#8
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
I'll have to check it again later when I have time. If they are just leftover entries from something, then I'll help you remove them... later.
#9
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Ah, okay. =]
Really appreciate your help! =]
#10
DriverHeaven Senior Member (joined Dec 2004, 856 posts, Location: Inside DriverHeaven)
Strange, I can't find anything about these 2 services. They look more like parts of a trojan to me...
Download HijackThis from here: http://www.merijn.org/files/hijackthis.zip and paste the log it gives you.
#11
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Thanks. Here's the log.
Code:
Logfile of HijackThis v1.99.0
Scan saved at 12:03:01 AM, on 2/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\Explorer.EXE
E:\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104162947515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
O17 - HKLM\System\CS3\Services\Tcpip\..\{0922A173-1438-4444-9432-57F381E40ADE}: NameServer = 202.156.1.58,202.156.1.48,218.186.1.38
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adoiskoe - Unknown - (no file)
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
#12
DriverHeaven Senior Member (joined Dec 2004, 856 posts, Location: Inside DriverHeaven)
Everything seems ok to me.
That unknown service (adoiskoe) is linking to an empty file, so it's harmless and, as Ctrl-Alt-Del told you, .neudionc is disabled. It's strange that these services just popped up, but you don't seem to have any trojan in your system. Just delete the two keys:
"HKLM\SYSTEM\CurrentControlSet\Services\adoiskoe" and "HKLM\SYSTEM\CurrentControlSet\Services\.neudionc"
and they'll go away.
#13
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
I can't find anything about those 2 service names either.
According to your registry above, there's no driver loaded during boot time. I think you can keep those registry entries till you can find more info about them, or just remove them; I would. Log on as Administrator or another account with Admin privilege; if you still can't remove them, right-click on the key and select 'Permissions', then give yourself Full Control over the key and try to remove it again. If you have any problem after that, merge the registry entries back.
------
For a service listed under CurrentControlSet\Services, the value of the Group entry plus any "Tag" entry determines the order in which the service is loaded. But not all services have a Tag entry, and not all groups have an entry in the "GroupOrderList" subkey. The "ServiceGroupOrder" subkey specifies the order for loading groups. The entries in the key are all of type REG_BINARY. These default entries define the order within groups:
Base
Pointer Class
Video
Ndis
SCSI Miniport
Keyboard Port
Primary Disk
Keyboard Class
Filter
Pointer Port

GroupOrderList Control Entries
The entries in the GroupOrderList key specify the ordering of services within groups, under the following Registry path:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList"

ServiceGroupOrder Control Entries
The ServiceGroupOrder key specifies the order to load various groups of services. Order within groups is specified using the value of Tag under the specific Services subkeys and the values in the GroupOrderList subkey. For example, when you start Windows NT, the Boot Loader scans the Registry for drivers with a Start value of 0 (which indicates that these drivers should be loaded but not initialized before the Kernel) and a Type value of 0x1 (which indicates a Kernel device driver such as a hard disk or other low-level hardware device driver). The drivers are then loaded into memory in the order specified as the List value in the ServiceGroupOrder subkey.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder"
"List" REG_MULTI_SZ Group names. Specifies the order for loading drivers into memory.
Value Name: List (from my XP system registry)
System Reserved
Boot Bus Extender
System Bus Extender
SCSI miniport
Port
Primary Disk
SCSI Class
SCSI CDROM Class
FSFilter Infrastructure
FSFilter System
FSFilter Bottom
FSFilter Copy Protection
FSFilter Security Enhancer
FSFilter Open File
FSFilter Physical Quota Management
FSFilter Encryption
FSFilter Compression
FSFilter HSM
FSFilter Cluster File System
FSFilter System Recovery
FSFilter Quota Management
FSFilter Content Screener
FSFilter Continuous Backup
FSFilter Replication
FSFilter Anti-Virus
FSFilter Undelete
FSFilter Activity Monitor
FSFilter Top
Filter
Boot File System
Base
Pointer Port
Keyboard Port
Pointer Class
Keyboard Class
Video Init
Video
Video Save
File System
Event Log
Streams Drivers
NDIS Wrapper
COM Infrastructure
UIGroup
LocalValidation
PlugPlay
PNP_TDI
NDIS
TDI
NetBIOSGroup
ShellSvcGroup
SchedulerGroup
SpoolerGroup
AudioGroup
SmartCardGroup
NetworkProvider
RemoteValidation
NetDDEGroup
Parallel arbitrator
Extended Base
PCI Configuration
MS Transactions
======
When determining which driver to load, the OS loader first looks at the "Start Type" -- Boot, System, Auto, Demand. For drivers with the Boot, System or Auto start type, the OS loader looks at all drivers with the same start type, then loads them in order of their load order group and finally their Tag.
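A second added example (also not from the thread) on the load-order rules just described: given the Start, Group and Tag values of a set of service keys, the ServiceGroupOrder\List order and the per-group tag order from GroupOrderList, it returns the order in which the loader would consider Boot-start drivers and then System-start drivers. Keys whose Start is Manual (3) or Disabled (4), like the two in this thread, never enter that order, consistent with the remark above that nothing from these keys is loaded at boot time. The group list is a subset of the List posted above in its posted order; the hypo_* services and the GroupOrderList blob are constructed for the example, and the alphabetical tie-break among drivers with no listed Tag is this example's choice rather than documented behaviour.

```python
# Boot-time driver load order from Start, Group and Tag. Python 3, standard library only.

# ServiceGroupOrder\List from the post above, cut down to the groups this example uses
# (the kept entries are in their posted order).
SERVICE_GROUP_ORDER = [
    "System Reserved", "Boot Bus Extender", "System Bus Extender", "SCSI miniport", "Port",
    "Primary Disk", "SCSI Class", "SCSI CDROM Class", "FSFilter Infrastructure",
    "FSFilter System", "FSFilter Bottom", "FSFilter Anti-Virus", "FSFilter Top", "Filter",
    "Boot File System", "Base", "Pointer Port", "Keyboard Port",
]
BOOT, SYSTEM, AUTO, MANUAL, DISABLED = range(5)  # Start values


def parse_group_order_list(blob):
    """GroupOrderList\\<group> (REG_BINARY): DWORD count, then that many DWORD tags in load order."""
    count = int.from_bytes(blob[:4], "little")
    return [int.from_bytes(blob[4 + 4 * i:8 + 4 * i], "little") for i in range(count)]


def load_order(services, group_list, group_order_list, start_types=(BOOT, SYSTEM)):
    """Names of the services whose Start is in start_types, in load order.

    Rule from the post: same start type first, then the Group's position in
    ServiceGroupOrder\\List (groups not in the list after all listed groups), then the
    Tag's position in GroupOrderList for that group (tags not listed, or no Tag at all,
    after the listed ones). The final alphabetical tie-break is this example's choice.
    """
    def key(item):
        name, v = item
        group, tag = v.get("Group"), v.get("Tag")
        gpos = group_list.index(group) if group in group_list else len(group_list)
        tags = group_order_list.get(group, [])
        tpos = tags.index(tag) if tag in tags else len(tags) + (tag is None)
        return (start_types.index(v.get("Start")), gpos, tpos, name.lower())
    chosen = [(n, v) for n, v in services.items() if v.get("Start") in start_types]
    return [n for n, _ in sorted(chosen, key=key)]


# Constructed sample. hypo_* entries are invented for this example; the last two carry the
# Start/Group/Tag values posted for the two keys discussed in this thread.
GROUP_ORDER_LIST = {
    "SCSI miniport": parse_group_order_list(bytes([2, 0, 0, 0, 0x21, 0, 0, 0, 0x19, 0, 0, 0])),
}
SAMPLE_SERVICES = {
    "hypo_miniport_a": {"Start": BOOT, "Group": "SCSI miniport", "Tag": 0x19},
    "hypo_miniport_b": {"Start": BOOT, "Group": "SCSI miniport", "Tag": 0x21},
    "hypo_miniport_c": {"Start": BOOT, "Group": "SCSI miniport"},            # no Tag
    "hypo_av":         {"Start": BOOT, "Group": "FSFilter Anti-Virus", "Tag": 1},
    "hypo_filter":     {"Start": BOOT, "Group": "FSFilter Bottom", "Tag": 1},
    "hypo_sysdrv":     {"Start": SYSTEM, "Group": "Base", "Tag": 2},
    "hypo_orphan":     {"Start": SYSTEM},                                     # no Group
    "Adoiskoe":        {"Start": MANUAL, "Group": "Keyboard Port", "Tag": 1},
    ".neudionc":       {"Start": DISABLED, "Group": "FSFilter Physical Quota Management", "Tag": 1},
}

if __name__ == "__main__":
    for i, name in enumerate(load_order(SAMPLE_SERVICES, SERVICE_GROUP_ORDER, GROUP_ORDER_LIST), 1):
        v = SAMPLE_SERVICES[name]
        print("%2d  %-16s Start=%d Group=%r Tag=%r" % (i, name, v["Start"], v.get("Group"), v.get("Tag")))
```

The ordering is why the group name on a filter-driver key matters: a driver placed in "FSFilter Bottom" is considered before anything in "FSFilter Anti-Virus", as the hypo_filter and hypo_av entries show, so a stray key's Group is worth a look along with its Start and ImagePath.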
#14
Obvious Closet Brony Pony
IMO, I've found Google to be very excellent for finding out what some of these startup names are...
Just go to Google and type in the exe name that's running, or what's listed as the name in the msconfig startup, such as a search for dllhost.exe or firstreboot.exe. The first 10 sites usually spit out pretty solid results about what it does, if it's a virus, if it's necessary, if you can remove it.
#15
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
The services were not start-ups, the path to the executable files is empty, there is no service description, and I can't find any info about the service names.
There are many weird service names under the Services registry keys.
#16
unplugged
In the services list I also have some weird ones; nothing on Google about them either.
I disabled them. Strange... Can't do anything with them because the files are gone.
#17
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
Go to 'HKLM\SYSTEM\CurrentControlSet\Services', right-click on Services and select Export (for your backup). Then locate those 2 service names under the folder "Services", right-click on the service name you want to remove and select Delete, then reboot.
=======================
Export_Services_Reg.cmd
Code:
REGEDIT /E Services_Backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
#18
unplugged
Now that you say that, I looked, and maybe I shouldn't have... I wish I knew what it was.
#19
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
You ask me, when we can't find any info about it,
I would just remove it. But it's just me.
#20
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Thanks for the replies so far.
But is it possible to find out how they were created in the first place? I did a Last Known Good Configuration when my system refused to boot, if that has some effect.
#21
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
Okay, maybe we can get some info about these 2 items off your registry.
Go to http://www.billsway.com/vbspage/ and D/L the Registry Search Tool, RegSrch.vbs. Run this tool to search for:
1) LEGACY_ADOISKOE
2) LEGACY_.NEUDIONC
3) ADOISKOE
4) .NEUDIONC
then post anything that you think might help.
#22
Member (Ctrl-Alt-Del; joined Mar 2003, 5,989 posts)
I would also try using the /BOOTLOG boot option; you can add this boot.ini switch via msconfig -> BOOT.INI tab.
After rebooting, locate and then open the file x:\WINDOWS\ntbtlog.txt. See if you find anything like "adoiskoe.sys" in the 'Did not load driver' lines. Here's an example of the file ntbtlog.txt.
Code:
Service Pack 2  1  1 2005 02:40:18.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Did not load driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
...
...
#23
DriverHeaven Junior Member (OP; joined Jul 2003, 31 posts)
Thanks so far, but I still could not find anything.
#24
DriverHeaven Newbie (joined Oct 2006, 1 post)
I've got weird services too...
I just found a new service that sounds just like yours, but with a different name. I can't find anything on it with Google. Mine's called "Osspor5xnrup". It just showed up one day. I had not installed any new software I can remember. I removed the registry entry, but I had to change permissions first. I've attached the registry entries below. Windows XP/SP2 with updates current as of today. Where else can I look on my system for any other vestiges of this? Might there be a DLL somewhere with the same name (Osspor5xnrup.dll or .sys or something...)?
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Osspor5xnrup]
"ErrorControl"=dword:00000001
"Type"=dword:00000010
"Group"="FSFilter Bottom"
"Tag"=dword:00000001
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Osspor5xnrup\Security]
"Security"=hex:01,00,...etc...<I removed this data for brevity>...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Osspor5xnrup\Enum]
"0"="Root\\LEGACY_OSSPOR5XNRUP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001