
Thread: Command Service malware problem

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    6

    Default Command Service malware problem

    Well, I don't claim to be any expert on computers but usually I run spybot S&D and everything is happy again. But this time "Command Service" has me by the short curlies and I'm not sure what to do and I don't like messing with the registry (which I've done successfully in the past but it makes me nervous as hell.) I'm pretty sure it's more than just Command Service, but I don't know what.

    I've got a registry log from HijackThis and I'm hoping somebody can explain it to me. I know it says not everything that appears in the Registry log is bad and that it's not the entire registry, but how do I separate the good from the bad? Advice is much appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:40:40 AM, on 4/12/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchosts.exe
    C:\WINDOWS\b2xvbG9sb2xvbA\command.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\{D436A90C-0BB7-1033-1025-050823060001}\Update.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ipwindows\ipwins.exe
    C:\WINDOWS\FNTS~1\nopdb.exe
    C:\WINDOWS\system32\s?mbols\m?dtc.exe
    C:\PROGRA~1\COMMON~1\rfwr\rfwrm.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\COMMON~1\rfwr\rfwra.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\MDM.EXE
    C:\WINDOWS\regedit.exe
    C:\Program Files\Kazaa Lite\kazaalite.kpp
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\SassyWassy\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {15B7A93D-3DA5-3907-AB3B-68E34BECAAEF} - C:\WINDOWS\System32\aorcie.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3436A~1\Bar888.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3436A~1\Bar888.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Ohoo] "C:\WINDOWS\FNTS~1\nopdb.exe" -vt yazb
    O4 - HKCU\..\Run: [rfwr] C:\PROGRA~1\COMMON~1\rfwr\rfwrm.exe
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168643236812
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168643497296
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi Gunther409

    We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

    The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
    Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

    Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
    Click here for Windows Update: http://www.windowsupdate.com/

    After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    6

    Default

    Hey everyone, and thanks for the tip-off that I'm not updated. But I've got yet another problem: it says my CD key is invalid. INVALID, what a load; I'm staring at the box as we speak! My CD key is perfect.

    So for whatever reason I can't install SP1a, which bums me out. Windows update tells me that all of my updates are complete though, so from that I can only come to the conclusion that there are other updates it won't allow me to get unless I can figure my problem out.

    Do I have to register windows in order for it to work?

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Well, if it says that the CD key is invalid, your copy of Windows most likely isn't legit.
    It might not be your fault (it could just as well be the computer manufacturer's fault), but I can't help you before the SP1 installation. I think you should contact either Microsoft or the computer manufacturer about that issue.

  5. #5
    Junior Member
    Join Date
    Apr 2007
    Posts
    6

    Default

    Sorry for my continuously belated responses; by the time I get home I just want to sleep. As for my problem, all I've got to say is:

    Son of a ....well you know.

    Man, I hate talking to those idiots at Microsoft; I've needed their help twice before in my life, and twice they've had no clue what they were doing. I dread yet another call to that Indian circus they call tech support. On the bright side, after some tampering I've finally managed to track down and eliminate the virus manually without doing any damage to my registry. Currently this is being classified as a miracle.

    A quick question that may clear this problem up though: I have more than one computer that runs on the same CD key (both in the same household), could this be the root of my problem? I don't register my keys because I don't know what would happen to my key if my computer had a melt-down, which it's prone to do. Can I register the same CD key to two computers at one time? Also, will registering my key (which I'm reluctant to do for said reason) allow me to download SP1A?

    Also, what if anything else can I do to protect my computer (which you seem to be reluctant to tell me for some reason.) Thankfully viruses are a rare and usually non-critical event for me, so maybe I should just get ZoneAlarm or something?

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "I have more than one computer that runs on the same CD key(both in the same house hold), could this be the root of my problem?"

    Yes, I think so.

    "Can I register the same CD key to two computers at one time?"

    No, it won't work (it will work only in special cases).

    "Also will registering my key (which i'm reluctant to do for said reason) allow me to download SP1A?"

    If you use it in one computer only, yes.

    "Also, what if anything else can I do to protect my computer (which you seem to be reluctant to tell me for some reason.) "

    You can see the reason in my previous post.

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    6

    Default

    Quote Originally Posted by Shaba:
    "Also, what if anything else can I do to protect my computer (which you seem to be reluctant to tell me for some reason.) "

    You can see the reason in my previous post.

    Because I don't have SP1A? Well, fair enough if that's your decision. Maybe you can help me with something else then.

    I'm thinking seriously about moving to an alternative operating system; do you know if Spybot will work on anything besides Windows? I've been contemplating moving my info to Linux or some similar program. I like Windows, but I simply can't afford another copy so I can have them on both systems. Especially since Microsoft seems so keen to twist my arm into buying Vista anyway. I hear talk that their tech support will go the way of Windows 95 into non-existence.

    Hope that doesn't paint me as a bitter person...oh well.

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "Because I don't have SP1A? "

    No, because you use the same key in two computers and don't want to register your key, which would make you able to download & install SP1.

    Spybot will work in Windows only.

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Posts
    6

    Default

    So, a moral thing, eh? Well, if that's your thing, that's cool with me. Thanks for the answer about Windows only.

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "So, a moral thing, eh?"

    Kind of, yes. I consider your other copy of Windows illegal because you use the same key in two computers.
