Command Service Problems



BigRed0926
2007-04-14, 00:11
Hi guys, this is my first time posting here so I hope I get it right.

I can't get a log from an online virus scanner because I'm having internet issues on my computer, but I have run Trend Micro, Spybot and Ad-Aware several times this week. Each time I clean things out my computer is full of malicious items again within a day or two.

My computer eventually stopped booting up normally, so I ran both Ad-Aware and Spybot in safe mode, but was unable to remove "Command Service" even when running both immediately after booting up. At this point I ran HJT and will post a log below.

Running these scans did allow me to boot up normally, however my internet stopped working. I then ran a winsockxp fix program that was recommended to me in another forum, which got it working again, but it quickly slowed to a crawl.

Here is my HJT log:
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Fraser\304.exe
O4 - HKLM\..\Run: [{6C8BD4ED-0958-1033-0601-040210040001}] "C:\Program Files\Common Files\{6C8BD4ED-0958-1033-0601-040210040001}\Update.exe" mc-110-12-0000904
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\system32\clcl3.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvwxvw.dll",realset
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwcc.ops.placeware.com/etc/place/CHARLIE/CHApws-c2/5.1.8.511/lib/quicksilver.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\ecclbah.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 - Unknown - C:\Documents and Settings\ie_updater.exe

I already tried fixing some of the obvious items with HJT but I can't seem to solve this myself. Hope you can help me.

Sincerely,
Fraser Retallack

tashi
2007-04-14, 00:43
I then ran a winsockxp fix program that was recommended to me in another forum,

Hello,

Please link to the topic, also your HJT log is incomplete, our helpers will need to see the header.

Cheers. :)

BigRed0926
2007-04-14, 22:10
Hello,

Please link to the topic, also your HJT log is incomplete, our helpers will need to see the header.

Cheers. :)

Sorry, the topic was for a different problem altogether and it was so long ago that I can't remember what forum it was on.

Here's my entire HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 2:03:42 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl3.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp17E.tmp.dll
O2 - BHO: (no name) - {80e259e1-3b24-47b1-8e7b-d427b2459ea1} - C:\WINDOWS\system32\dnsmui.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Fraser\304.exe
O4 - HKLM\..\Run: [{6C8BD4ED-0958-1033-0601-040210040001}] "C:\Program Files\Common Files\{6C8BD4ED-0958-1033-0601-040210040001}\Update.exe" mc-110-12-0000904
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\system32\clcl3.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvwxvw.dll",realset
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ocmvjhk.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwcc.ops.placeware.com/etc/place/CHARLIE/CHApws-c2/5.1.8.511/lib/quicksilver.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\ecclbah.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 - Unknown - C:\Documents and Settings\ie_updater.exe

Thanks again,
Fraser

BigRed0926
2007-04-14, 22:31
Oops, just noticed my scan was from the wrong HJT version. Here is a scan from the new version:
Logfile of HijackThis v1.99.1
Scan saved at 1:22:25 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp17E.tmp.dll
O2 - BHO: (no name) - {80e259e1-3b24-47b1-8e7b-d427b2459ea1} - C:\WINDOWS\system32\dnsmui.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Fraser\304.exe
O4 - HKLM\..\Run: [{6C8BD4ED-0958-1033-0601-040210040001}] "C:\Program Files\Common Files\{6C8BD4ED-0958-1033-0601-040210040001}\Update.exe" mc-110-12-0000904
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\system32\clcl3.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\wvwxvw.dll",realset
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwcc.ops.placeware.com/etc/place/CHARLIE/CHApws-c2/5.1.8.511/lib/quicksilver.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: dnsmui - C:\WINDOWS\SYSTEM32\dnsmui.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\ecclbah.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

Mr_JAk3
2007-04-19, 20:11
Hello BigRed0926 and welcome to the Forums :)

Sorry for the long wait...

You're badly infected. I must warn that one or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:
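
Added example, not part of the original posts and not HijackThis's own logic: a first-pass triage of a log in the format posted above. The sample lines are an excerpt of the v1.99.1 log; the four rules (unknown Winsock LSP, file missing, unknown service owner, binary in a drive root or profile root) are illustrative assumptions, and a flag means "look closer", not a verdict.

```python
import ntpath
import re

# Excerpt from the HijackThis v1.99.1 log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Fraser\304.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hhpoa.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
"""

# "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [name] path"
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First Windows path on the line that ends in .exe or .dll
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)\b", re.IGNORECASE)
# Assumed "odd location" rule: a binary sitting directly in a drive root, in
# "Documents and Settings" itself, or in the top level of a user profile.
ODD_DIR_RE = re.compile(r"^[a-z]:\\(documents and settings(\\[^\\]+)?)?$")


def triage(log_text):
    """Return one finding per distinct flagged line: (section, count, reasons, line)."""
    counts = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            # HijackThis repeats O10 lines once per LSP catalog entry; collapse them.
            counts[line] = counts.get(line, 0) + 1

    findings = []
    for line, count in counts.items():
        section, rest = ENTRY_RE.match(line).groups()
        reasons = []
        if section == "O10" and rest.startswith("Unknown file in Winsock LSP"):
            reasons.append("unknown-lsp")
        if rest.endswith("(file missing)"):
            reasons.append("file-missing")
        # v1.99.0 prints "Unknown", v1.99.1 prints "Unknown owner"
        if section == "O23" and re.search(r" - Unknown(?: owner)? - ", rest):
            reasons.append("unknown-owner")
        path = PATH_RE.search(rest)
        if path and ODD_DIR_RE.match(ntpath.dirname(path.group(0)).lower()):
            reasons.append("odd-location")
        if reasons:
            findings.append((section, count, reasons, line))
    return findings


if __name__ == "__main__":
    for section, count, reasons, line in triage(SAMPLE_LOG):
        print(f"{section} x{count} {','.join(reasons)}: {line}")
```

Entries that none of these rules flag are not thereby cleared; the rules only order the reading.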

BigRed0926
2007-04-20, 07:10
Thank you for your reply. I had already seen an attempted withdrawal from my Neteller Account and changed my passwords, but I guess I will have to do it again. I guess I will just format then because an untrustworthy computer is no good to me.

I currently use two hard drives on that computer, would I have to format both to ensure security? Or just the one where I run my OS?

Also how do you suspect I would get infected by such a virus? I do many financial transactions online and am very concerned about this happening again.

Thanks for your help,
Fraser

BigRed0926
2007-04-20, 07:27
Sorry for the double post, but my other concern is that I will want to save some files from my hard drive such as my music collection. Does this run the risk of porting the virus over to my newly wiped drive? And if so, is there a safe way to do it?

Mr_JAk3
2007-04-21, 21:20
Hello :)

It is hard to find out where an infection has come from. There are many possibilities...
I respect your decision to re-format...

It is very likely that both drives are infected. Be careful with the backups. Images, music and text should be safe to backup. Watch out for program files such as exes and dlls, you don't want to transfer the infections to the clean system...

Please make sure that you know what to do before beginning the operation.

Here are a few links that probably help.

Reformatting Windows XP by wng_z3r0 (http://spyware-free.us/tutorials/reformat/mainnopics.html)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)

Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)

These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)

Get all Windows updates installed!

Please ask me if you have any questions :)

Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
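
Added example, not part of the original post: one way to apply the backup advice above (keep images, music and text, watch out for exes and dlls) by checking each file's first two bytes as well as its name, so an executable renamed to look like music is still held back. The extension list, the function names and the demo files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed list of extensions to hold back; extend it to suit the backup.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".sys"}


def classify(path):
    """Return the reasons to hold one file back, or an empty list if none apply."""
    reasons = []
    if os.path.splitext(path)[1].lower() in RISKY_EXT:
        reasons.append("risky-extension")
    try:
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError:
        return reasons + ["unreadable"]
    if magic == b"MZ":  # header shared by Windows EXE and DLL files
        reasons.append("pe-header")
    return reasons


def screen_backup(root):
    """Walk root; return (copy, hold), where hold maps relative path -> reasons."""
    copy, hold = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = classify(full)
            if reasons:
                hold[rel] = reasons
            else:
                copy.append(rel)
    return sorted(copy), hold


def build_demo_tree(root):
    """Write constructed sample files standing in for a drive being backed up."""
    samples = {
        "music/song.mp3": b"ID3\x03\x00" + b"\x00" * 16,
        "docs/notes.txt": b"shopping list\n",
        "tools/setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
        # Constructed case: executable content under a music file name.
        "music/bonus_track.mp3": b"MZ\x90\x00" + b"\x00" * 16,
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Screen the constructed tree and return (copy, hold)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return screen_backup(root)


if __name__ == "__main__":
    copy, hold = demo()
    print("copy:", copy)
    for rel, reasons in sorted(hold.items()):
        print("hold:", rel, reasons)
```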

tashi
2007-04-30, 02:47
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.