| Thread ID: 49539 | 2004-09-22 13:08:00 | Virus Services.exe gone but problem remains :( | Codex (3761) | Press F1 |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 274679 | 2004-09-22 13:08:00 | I manually removed the virus file services.exe, but now all the main Windows core applications and startup processes aren't starting anymore because they depend on the services.exe file, which I permanently deleted (whoops). So can someone please help??? :( | Codex (3761) |
| 274680 | 2004-09-22 13:30:00 | You moved it to your recycle bin and then emptied the bin? You could try an undelete program to recover the file, assuming you haven't written a lot of data to the drive in the interim. Other thoughts, especially as you don't state what operating system you are using: if you have XP or ME, use the System Restore facility, providing you had it turned on beforehand, and roll back to a suitable restore point. | Exwesty (5639) |
| 274681 | 2004-09-22 13:58:00 | Windows 98SE, unfortunately no setup programs will execute either | Codex (3761) |
| 274682 | 2004-09-22 14:06:00 | Codex, I don't quite know what is going on with your computer. I have just searched my Win98SE for "services.exe" and it doesn't exist. I thought if it wasn't too big I could email it to you as a zipped file, but I can't find it at all. What say you to that? | zqwerty (97) |
| 274683 | 2004-09-22 19:59:00 | Have you tried scanreg /restore (to before you deleted this file; it has saved me before)? You have to do it from a DOS session: F8 at boot, select "DOS prompt only". Or even sfc /scannow if you haven't got the 98 install CD-ROM; the cab files are normally in c:\windows\command\options | beama (111) |
| 274684 | 2004-09-22 21:24:00 | Hmm, this services.exe might belong to Mydoom, or a variant: a worm with backdoor capabilities. W32/MyDoom-O is a mass-mailing worm which spreads by emailing itself via its own SMTP engine. The worm also allows unauthorised remote access to the computer via a network. When first run the worm copies itself to either the Windows or Temp folders as java.exe and adds one of the following registry entries to ensure that the copy is run each time Windows starts: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM, HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services. W32/MyDoom-O also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is the backdoor component of W32/MyDoom-O. W32/MyDoom-O searches the hard disk for email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-O and the percentage chance that each is used are: www.google.com (45%), search.lycos.com (22.5%), search.yahoo.com (20%), www.altavista.com (12.5%). When choosing addresses to send itself to, W32/MyDoom-O will avoid addresses which contain any of the following strings: mailer-d, spam, abuse, master, sample, accoun, privacycertific, bugs, listserv, submit, ntivi, support, admin, page, the.bat, gold-certs, ca, feste, not, help, foo, no, soft, site, rating, me, you, your, someone, anyone, nothing, nobody, noone, info, winrar, winzip, rarsoft, sf.net, sourceforge, ripe., arin., gnu., gmail, seclist, secur, bar., foo., com, trend, update, uslis, domain, example, sophos, yahoo, spersk, panda, hotmail, msn., msdn., microsoft, sarc., syma, avp. The email sent by the worm has a spoofed sender. The subject line may be blank or one of the following: hello; hi; error; status; test; report; delivery failed; Message could not be delivered; Mail System Error - Returned Mail; Delivery reports about your e-mail; Returned mail: see transcript for details; Returned mail: Data format error. The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages: "Dear user of <domain>, Mail server administrator of <domain> would like to inform you that we have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week. We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server. Please follow our instructions in the attachment file in order to keep your computer safe. Virtually yours, <domain> user support team." / "The message could not be delivered. The original message was included as attachment." / "The original message was received at <time> from <address> ----- The following addresses had permanent fatal errors ----- <address> ----- Transcript of the session follows ----- ... while talking to host <hostname>: >>> MAIL From:<address> <<< 501 User unknown Session aborted >>> RCPT To:<address> <<< 550 MAILBOX NOT FOUND" / "The message was undeliverable due to the following reason(s): Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now." / "Your message was not delivered within <number> days: Mail server <hostname> is not responding. The following recipients did not receive this message: <address> Please reply to postmaster@<domain> if you feel this message to be in error." The attached file may be named similarly to the recipient's username or domain, or using one of the following names: readme, instruction, transcript, letter, file, text, attachment, document, message, with an optional extension of DOC, TXT, HTM, HTML and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file con Stinger vil.nai.com/VIL/STINGER/ may have got rid of it for you. See if this removes the registry info: securityresponse.symantec.com/avcenter/FxMydoom.exe It MIGHT fix the services prob if it removes the entries for Mydoom in the registry. | Spacemannz (808) |
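One way to check an exported Win98 registry for the Run entries listed in the post above, as an added example that is not from this thread: it parses the REGEDIT4 text that regedit writes when exporting, flags values named JavaVM or Services that launch java.exe or services.exe (names taken from the post), and builds the .reg that would delete just those values. The sample export is constructed.

```python
# Added example, not from the thread: scan a REGEDIT4 export (the format
# regedit writes on Win98) for the MyDoom-O Run entries named in the post,
# and build the .reg that removes them. The sample export is constructed.
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SUSPECT_VALUES = {"javavm", "services"}
SUSPECT_FILES = {"java.exe", "services.exe"}

def parse_reg(text):
    # Return {key: {value_name: data}}; string values only.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # REGEDIT4 escapes a backslash as \\ inside string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_mydoom_autoruns(text):
    # Return [(key, value_name, data)] for Run entries matching the post.
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            exe = (data.split() or [""])[0].rsplit("\\", 1)[-1].lower()
            if name.lower() in SUSPECT_VALUES and exe in SUSPECT_FILES:
                hits.append((key, name, data))
    return hits

def removal_reg(hits):
    # A .reg file that deletes only the flagged values ("name"=- deletes).
    lines = ["REGEDIT4", ""]
    for key, name, _ in hits:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)

SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Services"="C:\\WINDOWS\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="C:\\WINDOWS\\TEMP\\java.exe"
'''
```

Running `removal_reg(find_mydoom_autoruns(SAMPLE))` leaves the legitimate ScanRegistry entry alone and emits deletions only for the Services and JavaVM values.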
| 274685 | 2004-09-22 23:34:00 | Codex: Sounds like you have a few problems there. FAQ #16 might be of some use to you. Browse down to the bottom post and scroll up to get to the "final" version. Link to FAQs top right of this page. | Susan B (19) |
| 274686 | 2004-09-23 01:02:00 | The 'my.doom' remover doesn't execute because all stand-alone exe files and executables now depend on the execution of services.exe (the virus) :( and I can't run many applications because of this dependency. I can't run regedit to remove the startup process of 'my.doom'. Further help please? | Codex (3761) |
| 274687 | 2004-09-23 01:10:00 | Will it work in safe mode?? The mydoom.exe or regedit/anything?? | Spacemannz (808) |
| 274688 | 2004-09-23 01:14:00 | Well, I usually use WinXP Pro on my other machines, but I don't know how to use safe mode in Win98SE anymore. But if someone tells me I'll try it. Thx, Codex | Codex (3761) |