cleaned out


#16
j1a3g8

    Member

  • Topic Starter
  • Member
  • 12 posts
Ok, cleared logs and rebooted, but the "Post 7 issue" is back all over again. Any way of avoiding this issue, or is it just how Vista works? Checked Avast and it found one: "volsnap.sys.vir".


#17
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Don't know why it keeps doing that. Certainly we didn't do anything to cause it. Can you run VEW so we can see if it left any tracks?

"volsnap.sys.vir" was something that Combofix fixed for us. The .vir extension is Combofix's way of disabling it, so Avast didn't find anything new.

Ron

#18
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
See if there is a log from chkdsk. It should be at C:\bootex.log

It could be that we still have an infection, but if so it is well hidden.

See if you can run GMER.

Download GMER from http://www.gmer.net/download.php (note the file's name) and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Ron

#19
j1a3g8

    Member

  • Topic Starter
  • Member
  • 12 posts
Vino's Event Viewer v01c run on Windows Vista in English
Report run at 11/05/2011 7:59:24 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2011 11:21:03 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Log: 'System' Date/Time: 11/05/2011 11:21:03 PM
Type: Error Category: 0
Event: 7024 Source: Service Control Manager
The SL UI Notification Service service terminated with service-specific error 3221541889 (0xC004D401).

Log: 'System' Date/Time: 11/05/2011 11:49:35 PM
Type: Error Category: 0
Event: 7024 Source: Service Control Manager
The SL UI Notification Service service terminated with service-specific error 3221541889 (0xC004D401).

Log: 'System' Date/Time: 11/05/2011 11:51:32 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 7:49:17 PM on 5/11/2011 was unexpected.

Log: 'System' Date/Time: 11/05/2011 11:53:02 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2011 11:19:14 PM
Type: Warning Category: 0
Event: 5014 Source: NETw4v32
Intel® Wireless WiFi Link 4965AGN : The driver cannot function because the network adapter is disabled.

Log: 'System' Date/Time: 11/05/2011 11:51:17 PM
Type: Warning Category: 0
Event: 5014 Source: NETw4v32
Intel® Wireless WiFi Link 4965AGN : The driver cannot function because the network adapter is disabled.

#20
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
This is what is causing the nasty message:

Log: 'System' Date/Time: 11/05/2011 11:21:03 PM
Type: Error Category: 0
Event: 7024 Source: Service Control Manager
The SL UI Notification Service service terminated with service-specific error 3221541889 (0xC004D401).

For some reason this service is failing. You can read about it here:
http://www.blackvipe...tware_Licensing

I found one post where the guy was able to fix it by stopping and starting the service. It calls itself Software Licensing in the service list. The short name for it is slsvc and the file itself is C:\Windows\system32\SLsvc.exe. Try submitting the file to http://virustotal.com and copy and paste the report, even if it says 0/40 or so.

You can try to start the service from a Command Prompt (Run As Administrator):

sc start slsvc

To stop the service you can type:

sc stop slsvc

I wonder if it would help to run the extended disk check from the maker of the hard drive? Perhaps then we could get the chkdsk to run all the way through.

Ron
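The checks Ron walks through in this post (the 7024 events, the slsvc service, and the SLsvc.exe file) can be gathered in one pass. This is an added example, not code from the thread or from any tool it names; it assumes an elevated PowerShell 2.0 or later prompt on Vista/Windows 7, and the hash it compares against is the SHA256 VirusTotal reported for the poster's file later in this thread.

```powershell
# Added example, not from the thread: read-only triage for the Software
# Licensing (slsvc) failure diagnosed in post #20. Assumes an elevated
# PowerShell 2.0+ prompt on Vista/Win7; -Restart is the only change it makes.
param([switch]$Restart)

$svcName = 'slsvc'
$svcFile = Join-Path $env:windir 'System32\SLsvc.exe'
# SHA256 that VirusTotal reported for the poster's SLsvc.exe (copied from the thread).
$postedSha256 = '04e77f80d365ed8a500b5818015739b7d3562c528cc005e63012d07767132d71'

# 1. The same evidence VEW showed: Service Control Manager event 7024,
#    "service terminated with service-specific error", from the System log.
Write-Host "== Recent 7024 events =="
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7024} -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the 0x-prefixed service-specific code (e.g. 0xC004D401) out of the rendered message.
        $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $matches[0] } else { 'n/a' }
        '{0}  {1}' -f $_.TimeCreated, $code
    }

# 2. Service state and the binary the SCM actually launches. A PathName that
#    points anywhere other than System32 deserves a closer look.
Write-Host "== Service =="
$svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    '{0}: {1}, StartMode={2}, Path={3}' -f $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName
} else {
    Write-Warning "Service $svcName not found"
}

# 3. Hash the on-disk file and compare it to the hash VirusTotal reported.
#    (.NET is called directly because Get-FileHash does not exist before PS 4.0.)
Write-Host "== File =="
if (Test-Path $svcFile) {
    $stream = [System.IO.File]::OpenRead($svcFile)
    try {
        $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
    } finally { $stream.Close() }
    $sha256 = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    'SHA256 {0} ({1})' -f $sha256, $(if ($sha256 -eq $postedSha256) { 'matches VT report' } else { 'DIFFERS from VT report' })
    # Embedded Authenticode status; sigcheck in the VT report showed "Unsigned" for this file.
    $sig = Get-AuthenticodeSignature $svcFile
    'Signature: {0}' -f $sig.Status
} else {
    Write-Warning "$svcFile is missing"
}

# 4. Only with -Restart: the same stop/start the thread does with sc.exe.
if ($Restart) { Restart-Service $svcName -Verbose }
```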

#21
j1a3g8

    Member

  • Topic Starter
  • Member
  • 12 posts
Ok, I'm trying to run GMER but I keep getting kicked off. I disabled Avast, but I'm not sure what else I'm overlooking.

#22
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Sometimes you have to uncheck all but one of the options on the right side. Then if that runs, add one more and try again. Remember to right click and Run As Administrator.

#23
j1a3g8

    Member

  • Topic Starter
  • Member
  • 12 posts
Ok, hopefully this is what you need below for the VT report. It said 0/42. I tried Command Prompt and it says "does not recognize as internal/external command, etc."

Antivirus Version Last Update Result
AhnLab-V3 2011.05.12.00 2011.05.11 -
AntiVir 7.11.7.240 2011.05.11 -
Antiy-AVL 2.0.3.7 2011.05.11 -
Avast 4.8.1351.0 2011.05.11 -
Avast5 5.0.677.0 2011.05.11 -
AVG 10.0.0.1190 2011.05.12 -
BitDefender 7.2 2011.05.12 -
CAT-QuickHeal 11.00 2011.05.11 -
ClamAV 0.97.0.0 2011.05.11 -
Commtouch 5.3.2.6 2011.05.12 -
Comodo 8668 2011.05.12 -
DrWeb 5.0.2.03300 2011.05.12 -
eSafe 7.0.17.0 2011.05.11 -
eTrust-Vet 36.1.8322 2011.05.12 -
F-Prot 4.6.2.117 2011.05.11 -
F-Secure 9.0.16440.0 2011.05.12 -
Fortinet 4.2.257.0 2011.05.11 -
GData 22 2011.05.12 -
Ikarus T3.1.1.103.0 2011.05.12 -
Jiangmin 13.0.900 2011.05.11 -
K7AntiVirus 9.103.4624 2011.05.11 -
Kaspersky 9.0.0.837 2011.05.11 -
McAfee 5.400.0.1158 2011.05.12 -
McAfee-GW-Edition 2010.1D 2011.05.11 -
Microsoft 1.6802 2011.05.11 -
NOD32 6114 2011.05.11 -
Norman 6.07.07 2011.05.11 -
nProtect 2011-05-11.02 2011.05.11 -
Panda 10.0.3.5 2011.05.11 -
PCTools 7.0.3.5 2011.05.11 -
Prevx 3.0 2011.05.12 -
Rising 23.57.02.05 2011.05.11 -
Sophos 4.65.0 2011.05.12 -
SUPERAntiSpyware 4.40.0.1006 2011.05.12 -
Symantec 20101.3.2.89 2011.05.12 -
TheHacker 6.7.0.1.195 2011.05.11 -
TrendMicro 9.200.0.1012 2011.05.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.12 -
VBA32 3.12.16.0 2011.05.11 -
VIPRE 9257 2011.05.12 -
ViRobot 2011.5.11.4453 2011.05.11 -
VirusBuster 13.6.349.0 2011.05.11 -
Additional information
MD5 : a1dcd30534835cb67733ad00175125a6
SHA1 : 91edcdab26214cd77c63a340b88db32bbc54534f
SHA256: 04e77f80d365ed8a500b5818015739b7d3562c528cc005e63012d07767132d71
ssdeep: 49152:xLHYOuNsINAiBksRtHRqEhl1R+qKCQmd1SpR303nrBuxb:J4CqAPyMElb8mdSk38
File size : 2605568 bytes
First seen: 2009-02-13 21:09:46
Last seen : 2011-05-12 00:51:41
TrID:
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Software Licensing Service
original name: SLService
internal name: SLService
file version.: 6.0.6000.16509 (vista_gdr.070620-1500)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xAE756
timedatestamp....: 0x4679D9FE (Thu Jun 21 01:53:02 2007)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.pexe, 0x1000, 0x48A, 0x600, 3.87, a6cbef2a276fbd2d2cab484a37097151
.text, 0x2000, 0x2151DE, 0x215200, 6.67, 4e746d963e014344f9a10fa965ad334a
.data, 0x218000, 0x4723D, 0x47400, 7.76, 4da579dbbf0ae0a814deef29830cb604
.rsrc, 0x260000, 0x2188, 0x2200, 3.26, 6790c2c872b5a8f7ddadfaa30403599c
.reloc, 0x263000, 0x1CF5C, 0x1D000, 6.74, 5e372adf6114e8ea07fe50ff94635f26


[[ 1 export(s) ]]
_SPVersion@@3PADA
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 2183680
CompanyName: Microsoft Corporation
EntryPoint: 0xae756
FileDescription: Microsoft Software Licensing Service
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 2.5 MB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.0.6000.16509 (vista_gdr.070620-1500)
FileVersionNumber: 6.0.6000.16509
ImageVersion: 21315.20512
InitializedDataSize: 420864
InternalName: SLService
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.0
ObjectFileType: Executable application
OriginalFilename: SLService
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.0.6000.16509
ProductVersionNumber: 6.0.6000.16509
Subsystem: Windows command line
SubsystemVersion: 6.0
TimeStamp: 2007:06:21 03:53:02+02:00
UninitializedDataSize: 0
Symantec reputation: Suspicious.Insight


#24
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
If you just type:

sc

does it not find it? SC by itself will normally give you a help message.

The file sc.exe should live in C:\Windows\System32\

There should be a space after SC and after START.

Ron