Deleted services.exe...

Status
Not open for further replies.

bizzare_blue

Journeyman
Hi,
One of my friends has an HP PC with Windows XP SP2 installed. The other day his comp was infected with a few!! viruses and a Trojan Horse (detected through NAV Corporate edition). The AV was not able to repair the infected files so my friend deleted those files.

Now when he switches on his PC, an error is reported after logon...which is something as follows:

"Windows cannot detect C:\Windows\inet2004\services.com"...
When he presses the OK button he gets another error message which states:

"Could not load or run C:\Windows\inet2004\services.exe specified in the registry. Make sure the file is present."

How can he correct this problem?

Also, from the day my friend deleted those infected files, he is not able to open certain websites such as gmail.google.com and www.google.com although www.google.co.in is accessible. Also, when he tries to open www.orkut.com, the page appears but the login area is not present....

Then he downloaded flash player from internet but could not install it as there was an error which said...

"C:\Documents and Settings\G\Desktop\intall_flash_player.exe is not a valid Win32 application."

What is the cause of this error?

Please help me help my friend as soon as possible.
 

s18000rpm

ಠ_ಠ
==>>run "sfc/scannow"



=>IMHO Uninstall the Norton AV.
=>Download Free Anti-Virus like AVG, Avast... & scan your PC.
 
bizzare_blue

Journeyman
s18000rpm said:
==>>run "sfc/scannow"



=>IMHO Uninstall the Norton AV.
=>Download Free Anti-Virus like AVG, Avast... & scan your PC.

I have already uninstalled Norton AV from his computer and have given him Avast Home Edition... Will try the sfc thing now..
 

sakumar79

Technomancer
Run msconfig and check out startup entries. Delete the entries mentioned above as missing. Restart...

Run antivirus and antispyware scans (preferably in safe mode). Finally, run a registry cleaner to scan and fix invalid registry entries.

Arun
 

it_waaznt_me

Coming back to life ..
Well well well .. Norton found the virus and you are telling him to remove Norton and not the virus .. ..
SFC is used for replacing Windows system files if they've been modified by a virus or a bad patch ..
Here the services.exe that you are referring to is not a system file .. This inet2004 looks to me like a spyware which wasn't properly cleaned.

What you should do is to run HijackThis on the affected machine and post the log file here .
 

s18000rpm

ಠ_ಠ
well, the removing Norton was just "my Opinion", i didn't advise him to remove it.
& Norton was unable to remove/repair it.

btw i think you're probably right about the Spyware attack.
 
bizzare_blue

Journeyman
He did the sfc thing but to no avail so now I am posting the log file from HijackThis..

Logfile of HijackThis v1.99.1
Scan saved at 12:20:27 AM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\user\My Documents\HijackThis.exe
E:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/**www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [RPCInstall] C:\DOCUME~1\user\LOCALS~1\Temp\REGISTRYFIX.EXE
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\aoafmrav5064406.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


I am waitin for the reply....plz help me..and wat about the solution to the prob he's facing with ORKUT and GMAIL...
 

Vishal Gupta

Microsoft MVP
Fix these:

F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\RunOnce: [RPCInstall] C:\DOCUME~1\user\LOCALS~1\Temp\REGISTRYFIX.EXE
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\aoafmrav5064406.exe
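
The triage applied to the log in this thread can be expressed as a few rules over HijackThis entry lines. This is an added example, not part of any post here and not HijackThis's own logic; the sample is a handful of lines copied from the log above, and the rule set and the `triage` function are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\RunOnce: [RPCInstall] C:\DOCUME~1\user\LOCALS~1\Temp\REGISTRYFIX.EXE
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\aoafmrav5064406.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

# Heuristic rules (assumptions of this example): section, pattern on the body, reason.
RULES = [
    ("F3", re.compile(r"win\.ini: (run|load)=", re.I),
     "program started through the win.ini run=/load= mapping"),
    ("O4", re.compile(r"\\temp\\", re.I),
     "autorun entry pointing into a Temp directory"),
    ("O4", re.compile(r"\\system32\\[a-z]*\d{5,}\.exe", re.I),
     "autorun with a digit-heavy file name in system32"),
    ("R3", re.compile(r"\(no file\)", re.I),
     "search hook whose file is missing"),
]

def triage(log_text):
    """Return [(section, body, reason)] for each entry that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        for rule_section, pattern, reason in RULES:
            if section == rule_section and pattern.search(body):
                findings.append((section, body, reason))
                break  # one reason per entry is enough for review
    return findings

if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Entries flagged this way are candidates for manual review, not automatic removal; a legitimate installer can also leave a RunOnce entry in Temp.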
 
bizzare_blue

Journeyman
@Vishal...the errors which appeared after logging-in are gone but he still cannot access www.orkut.com and gmail.google.com

flash player is also not installing...invalid Win32 application error occurs...wat to do?
 

it_waaznt_me

Coming back to life ..
Also fix this :

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

The Flash player installer is probably corrupted, download a fresh one and try installing with it.

For accessing Orkut and Gmail try this :
Start > Run > Cmd {Press Enter}
ipconfig /flushdns {Press Enter}
 
bizzare_blue

Journeyman
My Friend tried everything...The error msg(at logon) was gone...but still he could access Gmail and Orkut, so finally I advised him to reinstall Windows and the problem was solved thereby...

thank you everyone for the support...
 